Passwords for 2 Million Internet Users Found on Cyber-Criminals' Server

By Robert Lemos |
Posted 2013-12-07

A botnet group compromised hundreds of thousands of users' systems, grabbing passwords, and caching them on a central server, an analysis of which was published by security researchers at consultancy Trustwave.

The passwords include user names and passwords for 1.6 million Website users, 320,000 email account credentials and tens of thousands for other services, including FTP, remote desktop and secure shell accounts, according to the analysis posted by the firm on Dec. 3. While the cache of credentials is significant, the size of the trove is not uncommon on the Internet, John Miller, security research manager of Trustwave, told eWEEK.

"There are many of these servers out there and they could contain hundreds of thousands to millions of compromised accounts," he said.

Nearly 58 percent of the credentials came from Facebook accounts, about 11 percent came from Yahoo and 10 percent from Google, according to the firm's analysis of the data. The credentials were not stolen from those services, but collected from the users' computers that had been infected by bot software known as Pony. Only 22 percent of the passwords were considered to have good or excellent security, according to Trustwave's analysis.

The passwords were intercepted when the victims typed them into their browser, so the strength of the passwords did not matter, but the research shows that users continue to choose easily crackable passwords.

"In this case, a stronger password would not have helped you, but this shows how weak some people's passwords are," Miller said. "Keeping software patched, however, could have prevented the original infection."

Companies should remind users not to use the same passwords for corporate accounts that they use on consumer sites, such as social media and cloud services, Lucas Zaichkowsky, enterprise defense architect at security-services firm AccessData, said in a statement.

"The real concern is that the criminals ... will look for accounts that belong to people working at high-value target organizations," he said. "Those users probably will use the same password at work that they used on these Websites."

In addition, users' ability to use Facebook as a single way to sign onto multiple sites could mean that the compromise of that credential will give attackers the ability to break into multiple accounts.

Companies have more options to defend against possible attacks. They can, for example, monitor their network for signs of the malware communicating with command-and-control servers on the Internet. Quite a few organizations maintain lists of potentially rogue or malicious servers. Those lists can be used as a way of blacklisting likely command-and-control communications, Trustwave's Miller said.